Lack of abuse detection allows cloud computing instances to be used like botnets, study says

Some cloud providers fail to detect and block malicious traffic originating from their networks, which provides cybercriminals with an opportunity to launch attacks in a botnet-like fashion, according to a report from Australian security consultancy firm Stratsec.

Researchers from Stratsec, a subsidiary of British defense and aerospace giant BAE Systems, reached this conclusion after performing a series of experiments on the infrastructure of five "common," but unnamed, cloud providers.

The experiments involved sending different types of malicious traffic from remotely controlled cloud instances (virtual machines) to a number of test servers running common services such as HTTP, FTP and SMTP.

In one test case, services running on a targeted server were accessible from the Internet, but the server was located in a typical network environment, behind a firewall and an IDS (intrusion detection system). The goal of this particular test was to see how the cloud provider would respond to the presence of outbound malicious traffic originating from its network.

In a different experiment, the targeted test server was set up inside a separate cloud instance from the same provider in order to test if the provider would detect malicious traffic sent over its own internal network.

A third experiment involved the targeted server running inside a cloud instance at a different cloud provider in order to test how that provider would deal with incoming malicious traffic.

The experiments involved sending malformed network packets and performing aggressive port scanning; sending malware to the victim host via a reverse shell; performing a denial of service attack against a Web server running on the targeted host, performing a brute-force FTP password cracking attack; launching SQL injection, cross-site scripting, path traversal and other attacks against popular Web applications running on the targeted host; and sending known exploit payloads to various services running on the host.

In one experiment, some types of malicious activity, like port scanning, were executed for 48 hours in order to see if a large traffic volume and longer attack duration would trigger a response from the cloud provider.

"The results of the experiment showed that no connections were reset or terminated when transmitting inbound and outbound malicious traffic, no alerts were raised to the owner of the accounts, and no restrictions were placed on the Cloud instances," Stratsec senior consultant Pedram Hayati said Monday in a blog post.

Based on these results, Hayati concluded that cybercriminals could easily create and use botnets that run on cloud instances.

Such botnets would be relatively easy to set up and administer if one learns the cloud provider's API (application programming interface), would take less time to build than traditional botnets because replicating cloud instances can be done very fast, would be more stable because cloud instances have a very good uptime, would be more effective because of the increased computing power and bandwidth available to the cloud instances and wouldn't cost much, Hayati said.

"Based on our experiment, with the budget of as low as $7 and minimum hardware specification, it is possible to set up a botCloud with tens to hundreds of Cloud instances," the Stratsec consultant said. "We define 'botCloud' as a group of Cloud instances that are commanded and controlled by a malicious entity to initiate cyber-security attacks."

However, there are also disadvantages to operating such a botnet. For example, this type of botnet is probably not very resilient to takedown efforts, because cloud providers will likely shut down the offending cloud instances down once they receive an abuse notification from security researchers or victims.

"Computing is becoming cheaper and cheaper and for something like $10 one can buy enough computing power to take down a small website for a few hours," Costin Raiu, director of the Global Research & Analysis Team at antivirus vendor Kaspersky Lab, said Tuesday via email. "However, it's also important to say that 'traditional' methods of infecting users with trojans are probably even cheaper and much more resilient to takedowns."

"It takes a lot of time to find a user which is infected by something like a bot from the Pandora DDoS family and convince him to clean his PC," Raiu said. "Such infections can last for weeks or for months - making them a lot cheaper than cloud computing solutions."

That said, cloud platforms can definitely be useful to launch vulnerability scans that can be followed or complemented by other attacks executed with the help of traditional botnets, Raiu said. "I believe that cloud providers should definitely look a bit more into improving the security of their configs."

"The experiment suggests that providers BAE looked at may not be prioritizing monitoring for malicious traffic and the sound implementation of security measures that you'd expect to be implemented on a corporate network," David Harley, a senior research fellow at antivirus vendor ESET, said Tuesday via email. "I can't comment on how typical these providers were. However, when and where cloud providers do implement such countermeasures, the overheads for developing a resilient malicious network are likely to increase sharply."

When making the switch to cloud computing, organizations should search for cloud providers that use high-end firewalls and intrusion detection systems and which undertake regular independent security tests of their environments, Hayati said. "Do not get tempted with ease of use and cheap cost."

In addition, companies should not treat traffic that is coming from public cloud providers as safe, he said.

Copyright 2015 IDG Communications. ABN 14 001 592 650. All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.